-64- 
CLAIMS 

1 . A method for managing access to a shared resource by a plurality of devices 
that are coupled to the shared resource via a network, the method including acts of: 

(a) in response to a non-media access request by a first of the plurality of devices 
5 to a logical device at the shared resource for which the first device has no data access 

privileges, determining whether the first device is authorized to have non-media access to the 
logical device; and 

(b) authorizing the non-media access request when it is determined in the act (a) 
that the first device is authorized to have non-media access to the logical device. 

10 

2. The method of claim 1, further including an act of: 

(c) denying the non-media access request when it is determined in the act (a) that 
the first device is not authorized to have non-media access to the logical device. 

15 3 . The method of claim 2, wherein the act (c) includes an act of: 

ignoring the non-media access request. 



4. The method of claim 2, wherein the act (b) includes an act of: 
forwarding the non-media access request to a physical device corresponding to the 

20 logical device. 

5. The method of claim 1, wherein the non-media access request is an 
availability request to determine an availability of the logical device, and wherein the act (b) 
includes an act of: 

25 forwarding the availability request to a physical device corresponding to the logical 

device. 



6. The method of claim 1, further including acts of: 

(c) in response to a data access request by the first device to the logical device, 
30 determining whether the first device has data access privileges to the logical device; and 

(d) authorizing the data access request when it is determined in the act (c) that the 
first device has data access privileges to the logical device. 
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7. The method claim 6, farther including an act of: 

(e) denying the data access request when it is determined in the act (c) that the 
first device has no data access privileges to the logical device. 

8. The method of claim 1, wherein the acts (a) and (b) are performed by a filter 
that controls access to a plurality of logical devices at the shared resource, the method further 
including an act of: 

(c) maintaining, in a data structure accessible to the filter, configuration 
information corresponding to the first device, the configuration information including; 

(1) first configuration information identifying each of the plurality of logical 
devices to which data access by the first device is authorized; and 

(2) whether non-media access is authorized to each of the plurality of logical 
devices for which the first configuration information identifies that no data access is 
authorized for the first device. 

9. The method of claim 8, wherein the act (a) includes an act of: 
examining the configuration information corresponding to the first device to 

determine whether the first device is authorized to have non-media access to the logical 
device. 

1 0. The method of claim 1 , wherein the acts (a) and (b) are performed by a filter 
that controls access to a plurality of logical devices at the shared resource, the method further 
including an act of: 

(c) maintaining, in a data structure accessible to the filter, configuration 
information corresponding to the first device, the configuration information identifying; 

(1) each of the plurality of logical devices to which data access by the first 
device is authorized; and 

(2) each of the plurality of logical devices to which non-media access by the 
first device is authorized. 

1 1 . The method of claim 1 , further including an act of: 
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(c) determining whether an access request by the first device is one of a data 
access request and a non-media access request. 

12. The method of claim 1 , wherein the shared resource is a storage system; 

5 wherein the act (a) includes an act of, in response to the non media access request by 

the first device to a logical volume of data at the storage system for which the first device has 
no data access privileges, determining whether the first device is authorized to have non- 
media access to the logical volume; and 

wherein the act (b) includes an act of authorizing the non media access request when 

10 it is determined in the act (a) that the first device is authorized to have non-media access to 
the logical volume. 

13. The method of claim 12, wherein the acts (a) and (b) are performed by the 
storage system. 

15 

14. The method of claim 12, wherein the acts (a) and (b) are performed outside of 
the storage system. 

15. A method for managing access to a storage system by a plurality of devices 
20 that are coupled to the storage system via a network, the storage system including a plurality 

of logical volumes of data, the method including acts of: 

(a) maintaining, in a data structure that is accessible to a filter that controls access 
to each of the plurality of logical volumes, configuration information identifying each logical 
volume of the plurality of logical volumes to which data access by a first device of the 

25 plurality of devices is authorized; 

(b) in response to a non-media access request by the first device to a first logical 
volume for which the first device has no data access privileges, determining whether the first 
device is authorized to have non-media access to the first logical volume; and 

(c) authorizing the non-media access request when it is determined in the act (b) 
30 that the first device is authorized to have non-media access to the first logical volume. 



16. 



The method of claim 15, further including an act of: 
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(d) denying the non-media access request when it is determined in the act (b) that 
the first device is not authorized to have non-media access to the first logical volume. 

17. The method of claim 16, wherein the act (c) includes an act of: 
forwarding the non-media access request to a physical device corresponding to the 

first logical volume. 

1 8. The method of claim 1 5, wherein the act (c) includes an act of: 
forwarding the non-media access request to a physical device corresponding to the 

first logical volume. 

19. The method of claim 15, further including acts of: 

(d) in response to a data access request by the first device to the first logical 
volume, determining whether the first device has data access privileges to the first logical 
volume; and 

(e) authorizing the data access request when it is determined in the act (d) that the 
first device has data access privileges to the first logical volume. 

20. The method claim 1 9, further including an act of: 

(f) denying the data access request when it is determined in the act (d) that the 
first device has no data access privileges to the first logical volume. 

21 . The method of claim 15, wherein the filter is in the storage system and 
wherein the acts (a), (b), and (c) are performed by the storage system. 

22. The method of claim 15, wherein the filter is outside of the storage system, 
and wherein the acts (a), (b), and (c) are performed outside of the storage system. 

23 . The method of claim 15, further including an act of: 

(d) determining whether an access request by the first device is one of a data 
access request and a non-media access request. 
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24. The method of claim 1 5, wherein the non-media access request is an 
availability request to determine an availability of the first logical volume, and wherein the 
act (c) includes an act of: 

forwarding the availability request to a physical storage device corresponding to the 
5 first logical volume. 

25. The method of claim 1 5, wherein the act (a) includes an act of: 
maintaining, in the data structure that is accessible to the filter, configuration 

information that includes first configuration information identifying each logical volume of 
10 the plurality of logical volumes to which data access by the first device is authorized and 

second configuration information identifying whether non-media access is authorized to each 
of the plurality of logical volumes for which the first configuration information identifies that 
no data access is authorized for the first device. 

15 26. The method of claim 25, wherein the act (b) includes an act of: 

examining the second configuration information to determine whether the first device 
is authorized to have non-media access to the first logical volume. 

27. The method of claim 15, wherein the act (a) includes an act of: 
20 maintaining, in the data structure that is accessible to the filter, configuration 

information that identifies each logical volume of the plurality of logical volumes to which 
data access by the first device is authorized and each of the plurality of logical volumes to 
which non-media access by the first device is authorized. 

25 28. An apparatus for use in a computer system including a plurality of devices, a 

shared resource, and a network that couples the plurality of devices to the shared resource, 
the apparatus comprising: 

an input to be coupled to the network; and 

at least one filter, coupled to the input, that is responsive to a non-media access 
30 request by a first of the plurality of devices to a logical device at the shared resource for 
which the first device has no data access privileges, to determine whether the first device is 
authorized to have non-media access to the logical device, and to authorize the non-media 
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access request when it is determined that the first device is authorized to have non-media 
access to the logical device. 

29. The apparatus of claim 28, wherein when it is determined that the first device 
5 is not authorized to have non-media access to the logical device, the at least one filter denies 

the non-media access request. 

30. The apparatus of claim 29, wherein the shared resource includes a plurality of 
storage devices coupled to the at least one filter, and wherein when it is determined that the 

10 first device is authorized to have non-media access to the logical device, the at least one filter 
forwards the non-media access request to a storage device corresponding to the logical 
device. 

3 1 . The apparatus of claim 28, wherein when it is determined that the first device 
15 is not authorized to have non-media access to the logical device, the at least one filter ignores 

the non-media access request. 

32. The apparatus of claim 28, wherein: 

the shared resource includes a plurality of storage devices coupled to the at least one 

20 filter; 

the non-media access request is an availability request to determine an availability of 
the logical device; and 

when it is determined that the first device is authorized to have non-media access to 
the logical device, the at least one filter forwards the request to a storage device 
25 corresponding to the logical device. 

33. The apparatus of claim 28, wherein in response to a data access request by the 
first device to the logical device, the at least one filter determines whether the first device has 
data access privileges to the logical device; 

30 wherein the at least one filter authorizes the data access request when it is determined 

that the first device has data access privileges to the logical device; and 



-70- 

wherein the at least one filter denies the data access request when it is determined that 
the first device has no data access privileges to the logical device. 

34. The apparatus of claim 28, wherein the apparatus further comprises: 
a data structure, accessible to the at least one filter, that stores configuration 

information corresponding to the first device that includes first configuration information 
identifying each of a plurality of logical devices at the shared resource to which data access 
by the first device is authorized, and second configuration information identifying whether 
non-media access is authorized to each of the plurality of logical devices for which the first 
configuration information identifies that no data access is authorized for the first device. 

35. The apparatus of claim 34, wherein the at least one filter examines the second 
configuration information corresponding to the first device to determine whether the first 
device is authorized to have non-media access to the logical device. 

36. The apparatus of claim 28, wherein the apparatus further comprises: 
a data structure, accessible to the at least one filter, that stores configuration 

information corresponding to the first device that identifies each of a plurality of logical 
devices at the shared resource to which data access by the first device is authorized and each 
of the plurality of logical devices to which non-media access by the first device is authorized. 

37. The apparatus of claim 28, wherein in response to an access request by the 
first device to the logical device, the at least one filter examines the access request to 
determine whether the access request is one of a data access request and a non-media access 
request. 

38. The apparatus of claim 28, wherein the shared resource is a storage system; 
wherein the logical device is a logical volume of data stored at the storage system; 

and 

wherein in response to the non media access request by the first device to the logical 
volume of data at the storage system for which the first device has no data access privileges, 
the at least one filter determines whether the first device is authorized to have non-media 
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access to the logical volume, and authorizes the non media access request when it is 
determined that the first device is authorized to have non-media access to the logical volume. 

39. The apparatus of claim 38, in combination with the storage system, wherein 
5 the at least one filter and the input each is disposed within the storage system. 

40. The apparatus of claim 3 8, further comprising: 

a data structure, accessible to the at least one filter, that stores configuration 
information corresponding to the first device that includes first configuration information 
10 identifying each of a plurality of logical volumes of data stored at the storage system to which 
data access by the first device is authorized, and second configuration information identifying 
whether non-media access is authorized to each of the plurality of logical volumes for which 
the first configuration information identifies that no data access is authorized for the first 
device. 

15 

41. The apparatus of claim 40, in combination with the storage system, wherein 
the at least one filter, the input, and the data structure each is disposed within the storage 
system. 

20 42. The apparatus of claim 38, wherein the at least one filter and the input each is 

disposed outside of the storage system. 

43. A computer readable medium, comprising: 

a data structure relating to access management by a plurality of network devices to 
25 data stored on a plurality of logical devices of a shared resource, the data structure including 
a plurality of records each corresponding to one of the plurality of network devices, a first 
record of the plurality of records corresponding to a first of the plurality of network devices 
and including configuration information identifying each logical device of the plurality of 
logical devices to which data access by the first network device is authorized, the first record 
30 further including visibility information identifying whether the first network device is 

authorized to have non-media access to a first logical device of the plurality of logical 
devices when the configuration information corresponding to the first network device 



-72- 

identifies that no data access to the first logical device from the first network device is 
authorized. 

44. The computer readable medium of claim 43, wherein the first record further 
5 includes visibility information identifying whether the first network device is authorized to 
have non-media access to each logical device of the plurality of logical devices when the 
configuration information corresponding to the first network device identifies that no data 
access to at least one of the plurality of logical devices is authorized. 

10 45. The computer readable medium of claim 43, wherein each respective record of 

the plurality of records includes configuration information identifying each logical device of 
the plurality of logical devices to which data access by a respective network device is 
authorized, each respective record further including visibility information identifying whether 
the respective network device is authorized to have non-media access to each logical device 

1 5 of the plurality of logical devices. 

46. The computer readable medium of claim 43, wherein each respective record of 
the plurality of records includes configuration information identifying each logical device of 
the plurality of logical devices to which data access by a respective network device is 
20 authorized, each respective record further including visibility information identifying whether 
the respective network device is permitted to have non-media access to a respective logical 
device of the plurality of logical devices when the configuration information identifies that no 
data access to the respective logical device from the respective network device is authorized. 

25 47. The computer readable medium of claim 43, in combination with the shared 

resource, wherein the shared resource is storage system, and wherein the computer readable 
medium is a storage device of the storage system. 

48. An apparatus for use in a computer system including a plurality of devices, a 
30 storage system, and a network that couples the plurality of devices to the storage system, the 
apparatus comprising: 

an input to be coupled to the network; 
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a data structure that stores configuration information identifying each logical volume 
of data of a plurality of logical volumes of data stored on the storage system to which data 
access by a first device of the plurality of devices is authorized; and 

at least one filter, coupled to the input, that is responsive to a non-media access 
request by a first of the plurality of devices to a first logical volume of data of the plurality of 
logical volumes of data for which the first device has no data access privileges, to determine 
whether the first device is authorized to have non-media access to the first logical volume of 
data, and to authorize the non-media access request when it is determined that the first device 
is authorized to have non-media access to the first logical volume of data. 

49. The apparatus of claim 48, wherein when it is determined that the first device 
is not authorized to have non-media access to the first logical volume of data, the at least one 
filter denies the non-media access request. 

50. The apparatus of claim 49, wherein the storage system includes a plurality of 
storage devices coupled to the at least one filter, and wherein when it is determined that the 
first device is authorized to have non-media access to the first logical volume of data, the at 
least one filter forwards the non-media access request to a storage device corresponding to 
the first logical volume of data. 

5 1 . The apparatus of claim 48, wherein when it is determined that the first device 
is not authorized to have non-media access to the first logical volume of data, the at least one 
filter ignores the non-media access request. 

52. The apparatus of claim 48, wherein in response to a data access request by the 
first device to the first logical volume of data, the at least one filter determines, based upon 
the configuration information stored in the data structure, whether the first device has data 
access privileges to the first logical volume of data; 

wherein the at least one filter authorizes the data access request when it is determined 
that the first device has data access privileges to the first logical volume of data; and 

wherein the at least one filter denies the data access request when it is determined that 
the first device has no data access privileges to the first logical volume of data. 
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53 . The apparatus of claim 48, wherein the configuration information stored in the 
data structure further identifies whether non-media access by the first device is authorized for 
each of the plurality of logical volumes of data stored on the storage system. 

5 

54. The apparatus of claim 48, wherein the configuration information stored in the 
data structure is first configuration information, the data structure further including second 
configuration information that identifies whether non-media access is authorized to each of 
the plurality of logical volumes of data for which the first configuration identifies that no data 

10 access is authorized for the first device. 

55. The apparatus of claim 54, wherein the at least one filter examines the second 
configuration information to determine whether the first device is authorized to have non- 
media access to the logical device. 

15 

56. The apparatus of claim 48, wherein in response to an access request by the 
first device to the first logical volume of data, the at least one filter examines the access 
request to determine whether the access request is one of a data access request and a non- 
media access request. 

20 

57. The apparatus of claim 48, in combination with the storage system, wherein 
the at least one filter, the input, and the data structure each is disposed within the storage 
system. 

25 58. The apparatus of claim 3 8, wherein the at least one filter, the data structure, 

and the input each is disposed outside of the storage system. 

59. The apparatus of claim 48, in combination with the storage system, wherein 
the at least one filter and the input each is disposed within the storage system, and wherein 
30 the data structure is disposed outside of the storage system. 



60. 



A storage system, comprising: 
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a plurality of storage devices that store a plurality of logical volumes of data; 

a data structure to store configuration information identifying whether a first network 
device of a plurality of network devices that are coupled to the storage system is authorized to 
access data on a first logical volume of the plurality of logical volumes; and 

a filter, responsive to the configuration information stored in the data structure, to 
selectively forward non-media access requests from the first network device to the first 
logical volume when the configuration information identifies that no data access to the first 
logical volume from the first network device is authorized. 

61 . The storage system of claim 60, wherein the filter selectively forwards the 
non-media access request from the first network device to at least one of the plurality of 
storage devices that corresponds to the first logical volume when the configuration 
information identifies that no data access to the first logical volume from the first network 
device is authorized. 

62. The storage system of claim 60, wherein the configuration information further 
identifies whether the first network device is authorized to have non-media access to the first 
logical volume when no data access to the first logical volume from the first network device 
is authorized. 

63. The storage system of claim 62, wherein the filter forwards non-media access 
requests from the first network device to the first logical volume when the configuration 
information identifies that non-media access by the first network device to the first logical 
volume is authorized, and denies the non-media access request from the first network device 
to the first logical volume when the configuration information identifies that non-media 
access by the first network device to the first logical volume is not authorized and that no 
data access to the first logical volume from the first network device is authorized. 

64. The storage system of claim 63, wherein the filter, in response to an access 
request from the first network device to the first logical volume for which the configuration 
information identifies that no data access is authorized, examines the access request to 
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determine whether the access request is one of a data access request and a non-media access 
request. 

65. The storage system of claim 60, wherein the filter, responsive to the 
5 configuration information stored in the data structure, forwards access requests from the first 
network device to at least one of the plurality of storage device corresponding to the first 
logical volume when the configuration information identifies that data access to the first 
logical volume from the first network device is authorized. 

10 66. The storage system of claim 60, wherein the data structure includes a plurality 

of records each corresponding to a respective one of the plurality of network device, each of 
the plurality of records including first configuration information identifying each of the 
plurality of logical volumes to which data access by the respective one of the plurality of 
network devices is authorized, and second configuration information identifying whether 

15 non-media access to each of the plurality of logical volumes by the respective one of the 
plurality of network devices is authorized for which the first configuration information 
identifies that no data access by the respective one of the plurality of network device is 
authorized. 



20 



